rickert@mp.cs.niu.edu (Neil Rickert) (03/28/91)
I won't quote. Read the References if you want to see related comments.

As stated earlier, it is potentially dangerous to use 'F' lines in sendmail.cf to read sensitive files, such as /usr/lib/uucp/L.sys (or whatever your UUCP systems file is called).

Some vendors unwisely distribute configurations with such an entry, as it provides a simple way of insuring that all UUCP neighbors are known to sendmail. However, potentially sensitive information such as passwords will leak into publicly accessible information such as the configuration freeze file (sendmail.fc), and any core dumps taken by sendmail.

Since I originally mentioned this, some postings have questioned the severity of the problem, claiming that mode 0600 on sendmail.fc is an adequate protection. (The 'References:' line will direct you to some of the arguments made.)

Given the importance of the issue, it is my tentative plan to post, in about one week's time, details of how to coerce sendmail into providing a core dump containing the sensitive information.

HOW TO PROTECT YOURSELF.

Examine 'sendmail.cf' for lines beginning with 'F' in column 1. The general format is

    Fx/full/path/to/file

where the 'x' could be any letter, usually upper case. Unless there is a sensitive file (such as your UUCP systems file), you have no concern.

If there is a sensitive file, extract the mail related non-sensitive information from that file and place in another file. For example, you could redirect the output of 'uuname' to the file /usr/lib/uucp/uunodes, and use the latter file in place of the L.sys file in your configuration setup.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
piet@cwi.nl (Piet Beertema) (04/03/91)
> As stated earlier, it is potentially dangerous to use 'F' lines in
> sendmail.cf to read sensitive files, such as /usr/lib/uucp/L.sys
> (or whatever your UUCP systems file is called).

Depends. If you're running 5.64 or older *and* if you do *not* have

    #define SCANF 1

in your conf.h, then indeed sensitive information can end up in your frozen config file. This is no longer the case in 5.65/IDA-1.4.2 and later, since SCANF is effectively always enabled.

--
Piet Beertema, CWI, Amsterdam (piet@cwi.nl)
rickert@mp.cs.niu.edu (Neil Rickert) (04/03/91)
In article <3250@charon.cwi.nl> piet@cwi.nl (Piet Beertema) writes:
>
>    As stated earlier, it is potentially dangerous to use 'F' lines in
>    sendmail.cf to read sensitive files, such as /usr/lib/uucp/L.sys
>    (or whatever your UUCP systems file is called).
>Depends. If you're running 5.64 or older *and* if
>you do *not* have
>#define SCANF 1
>in your conf.h, then indeed sensitive information
>can end up in your frozen config file.

In my original posting, I warned that making the freeze file mode 600 is not a guaranteed protection, since a core dump will also contain a copy of the sensitive information.

A number of people have suggested that a core dump is impossible, since sendmail runs with effective uid of root, so cannot be sent a core dumping signal. This, however, is erroneous. Normally sendmail begins with an effective uid of root, but it can change its uid during processing. In particular there are many choices of command line parameters which will cause sendmail to relinquish its suid privileges after it has read its configuration.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
stefan@shiva.systemware.de (Stefan Stapelberg) (04/17/91)
In article <3250@charon.cwi.nl> piet@cwi.nl (Piet Beertema) writes:
|
|    As stated earlier, it is potentially dangerous to use 'F' lines in
|    sendmail.cf to read sensitive files, such as /usr/lib/uucp/L.sys
|    (or whatever your UUCP systems file is called).
|Depends. If you're running 5.64 or older *and* if
|you do *not* have
|#define SCANF 1
|in your conf.h, then indeed sensitive information
|can end up in your frozen config file.
|This is no longer the case in 5.65/IDA-1.4.2 and
|later, since SCANF is effectively always enabled.

A somewhat better solution is to use the 'uuname' command directly as in:

    FU|/usr/bin/uuname

This works at least since sendmail 5.57, possibly with older versions also.

Regards,
Stefan
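
The check from the first post's HOW TO PROTECT YOURSELF section, extended to recognise the program form shown in the last post, as an added shell example that is not part of the original thread. Treating a file as sensitive when it is not world-readable, and the names L.sys and Systems, are assumptions of this sketch; the sample configuration is constructed.

```shell
#!/bin/sh
# audit_f_lines CF_FILE  (added example, not code from the thread)
# Prints "STATUS CLASS SOURCE" for every class definition with 'F' in column 1:
#   SENSITIVE  file is not world-readable, or is named like a UUCP systems file
#   OK         file is world-readable, so nothing private is copied from it
#   MISSING    file does not exist
#   PROGRAM    class is filled from a command (Fx|command), not a file
audit_f_lines() {
    grep '^F' "$1" | while IFS= read -r line; do
        class=$(printf '%s\n' "$line" | cut -c2)
        rest=$(printf '%s\n' "$line" | cut -c3- | sed 's/^[[:space:]]*//')
        case $rest in
            '|'*) echo "PROGRAM $class ${rest#?}"; continue ;;
        esac
        path=${rest%%[[:space:]]*}      # drop an optional scanf format
        if [ ! -e "$path" ]; then echo "MISSING $class $path"; continue; fi
        case ${path##*/} in
            # Assumed names for the UUCP systems file.
            L.sys|Systems) echo "SENSITIVE $class $path"; continue ;;
        esac
        # Character 8 of the ls mode string is the "other read" bit.
        if [ "$(ls -ldL "$path" | cut -c8)" = r ]; then
            echo "OK $class $path"
        else
            echo "SENSITIVE $class $path"
        fi
    done
}

# Constructed sample: a temporary tree standing in for /usr/lib/uucp.
demo() {
    d=$(mktemp -d)
    echo 'host1 (constructed placeholder entry)' > "$d/L.sys"
    echo 'host1' > "$d/uunodes"
    chmod 600 "$d/L.sys"; chmod 644 "$d/uunodes"
    cat > "$d/sendmail.cf" <<EOF
DwMyhost
FU$d/L.sys
FV $d/uunodes %s
FW|/usr/bin/uuname
FX$d/absent
EOF
    audit_f_lines "$d/sendmail.cf"
    rm -rf "$d"
}
demo
```

Any line reported as SENSITIVE is a candidate for the replacement described in the thread: a file holding only the node names, or the program form.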